October 15, 2008

Teaching Consumers On-Line Safety Easiest When They Take the Bait

by Sam Savage

The Anti-Phishing Working Group (APWG) and Carnegie Mellon University's Supporting Trust Decisions Project have established a phishing page redirect initiative that protects global online consumers who have been tricked into clicking links in scam emails by delivering them to Web pages that instruct them on the dangers of phishing - and how to avoid them. The program was announced today at the APWG conference in Atlanta.

The APWG/Carnegie Mellon Phishing Education Landing Page program builds on the philosophy of using the "teachable moment": warn users immediately after they've fallen for a phishing lure and give them on-line safety instruction precisely when they are receptive to it. Phishing sites are designed to resemble the Web sites of legitimate businesses, such as banks and online retailers, to trick people into revealing credit card numbers, bank account details or login names and passwords. Actionable messaging will help consumers avoid falling victim to these scams a second time.

"We are excited about the opportunity to educate consumers as they are falling victim to a phishing site," said Dr. Laura Mather, Managing Director of Operational Policy for the APWG and CEO of Silver Tail Systems. "We see this initiative as having real impact in helping people understand when they have received a phishing communication so that they can protect themselves going forward."

This education-at-time-of-action is accomplished by leveraging the URLs of the phishing sites themselves after anti-phishing investigators have identified the sites and shut them down. Instead of leaving the URL empty, so that consumers following phishing links receive a 'PAGE NOT FOUND' message, they will be served a page of instruction on how to avoid phishing and reduce the risk of falling victim to electronic crime. (A redirect script placed at the sanitized phishing URL automatically forwards the visitor to the advisory content.)

"Our research has shown that most Internet users don't know very much about online scams and don't realize that there are some simple things they can do to protect themselves," said Dr. Lorrie Cranor, an associate professor of computer science and engineering & public policy at Carnegie Mellon and director of the Supporting Trust Decisions Project.

Ponnurangam Kumaraguru, a computer science Ph.D. student who is leading the effort to design and evaluate anti-phishing training materials at Carnegie Mellon added, "Nobody wants to spend their time taking on-line safety courses. But we've demonstrated that users are receptive to on-line safety instruction immediately after they fall for a phishing attack and they tend to remember this instruction."

The phishing education landing page developed by APWG and Carnegie Mellon teaches would-be victims not to give out personal information upon email request and to use a skeptical eye in judging online communications.

The implementation of the program depends on the participation of both takedown service providers and the ISPs and other companies whose servers have been co-opted to host phishing sites. The APWG is already successfully recruiting companies that perform phishing site takedowns, victimized brandholders and trade associations to encourage ISPs and other organizations that remove phish sites to use the APWG's education landing page program.

The program is based on a similar program initiated by Bank of America in 2007. The APWG/Carnegie Mellon program builds on Bank of America's ideas by creating a page that can be used for phishing sites targeting any brand. Bank of America has already implemented the APWG/Carnegie Mellon program.

"Bank of America is committed to providing its customers with industry leading security tools and advice to protect them and enhance their overall customer experience. Educating our customers about the risks of identity theft and fraud is critical," says David Shroyer, SVP for eCommerce Online Security at Bank of America.

"We know from experience that an educated customer is the best defense against fraud, and with this program we are educating our customers at the point of incidence, and letting customers know that we are working to protect them," Mr. Shroyer said.

The APWG/Carnegie Mellon scheme will augment the usual procedure for communicating to the hosting organization about phishing sites. Instead of asking that the site be disabled and file content associated with the phishing URL removed, the takedown provider or victimized brandholder would request that the URL be preserved and a redirect script send the duped user to a webpage hosted by the APWG.

The education landing page will automatically determine whether the user is using a PC or laptop or handheld device and vend the device-appropriate page. Users of PDAs and Web-enabled cell phones will receive a page exclusively of text. People using PCs and laptops will receive an enhanced page of text, graphics and a number of links to online resources.
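As an added illustration (not code from APWG, Carnegie Mellon or Bank of America), here is a small Python handler for the two mechanisms described above: a request to the preserved phishing URL is answered with a redirect to the education page, and the landing page picks a text-only or enhanced variant from the User-Agent. The landing-page URL, the preserved path and the device markers are constructed placeholders.

```python
from urllib.parse import urlsplit

# Placeholder, not the real APWG landing-page address.
LANDING_PAGE = "https://example.invalid/apwg-phishing-education"
# Constructed example of a path that a takedown provider asked the host to preserve.
SANITIZED_PATHS = {"/secure-login/index.php"}
# Constructed list of 2008-era handheld User-Agent fragments.
HANDHELD_MARKERS = ("windows ce", "blackberry", "symbian", "palm", "iphone", "mobile")


def redirect_for(path, method="GET", form_body=b""):
    """Answer a request that hits the former phishing URL.

    Returns (status, headers, body). Only the exact preserved paths redirect;
    anything else is 404 so the host does not become an open redirector.
    The query string and any POSTed form body (which may hold the credentials
    the victim just typed into the fake form) are discarded, never forwarded.
    """
    del form_body  # intentionally dropped: the victim's data must not travel on
    clean_path = urlsplit(path).path
    if clean_path not in SANITIZED_PATHS:
        return 404, {"Content-Type": "text/plain"}, "Not Found"
    # 303 See Other makes a POST of the phishing form become a GET of the advice
    # page; no-store keeps proxies from caching the hop.
    headers = {"Location": LANDING_PAGE, "Cache-Control": "no-store"}
    return 303, headers, ""


def landing_page_variant(user_agent):
    """Pick the device-appropriate page: plain text for handhelds, else enhanced."""
    ua = (user_agent or "").lower()
    if any(marker in ua for marker in HANDHELD_MARKERS):
        return "text-only"
    return "enhanced"


def render_landing_page(user_agent):
    """Build the advisory page body for the detected device class."""
    advice = ("Never give out personal information in reply to an e-mail request. "
              "Treat unexpected links and login prompts with a skeptical eye.")
    if landing_page_variant(user_agent) == "text-only":
        return "You followed a link from a phishing e-mail.\n" + advice
    links = "<ul><li><a href='https://example.invalid/resources'>More resources</a></li></ul>"
    return f"<h1>You followed a link from a phishing e-mail</h1><p>{advice}</p>{links}"
```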

"This initiative gives takedown teams, ISPs, registrars, and registries the opportunity to take one more step in protecting consumers against identity theft and the other crimes perpetrated by Phishers," said Dr. Mather.

As a next step, the APWG will organize the translation of the pages into various languages to serve the larger international community of consumers, brandholders and ISPs who are confronting the threats of electronic crime and engaging questions of efficacious consumer education.

About the Carnegie Mellon Supporting Trust Decisions Project

The Supporting Trust Decisions Project (http://cups.cs.cmu.edu/trust) is a research project affiliated with Carnegie Mellon University's CyLab and the CMU Usable Privacy and Security Laboratory. The project has developed a number of approaches to end-user security education as well as automated tools for detecting phishing attacks. These user education tools and phishing filters are being commercialized by Wombat Security Technologies, Inc. This project is sponsored by the US National Science Foundation, Fundacao para a Ciencia e Tecnologia Portugal under a grant from the Information and Communications Technology Institute at Carnegie Mellon, and by the Army Research Office.